CryptoShield Infection through RIG Exploit Kit

The RIG exploit kit (RIG EK) has recently been observed distributing a new ransomware variant named CryptoShield. The criminals behind it use malvertising and compromised websites to deliver the CryptoShield payload. CryptoShield is a descendant of CryptoMix and was first identified by Kafeine, a well-known malware researcher. The EITest campaign injects JavaScript into compromised pages and malicious advertisements; that script redirects the visitor to the RIG EK landing page, which in turn delivers the ransomware payload.

Our research team found that CryptoShield generates a unique ID and encryption key for each infected machine and encrypts the files on its drives, replacing the extension of every encrypted file with .CRYPTOSHIELD. Once a victim visits a compromised website or a page hosting the malicious ads, the workstation is infected automatically (a drive-by download through RIG EK). Two pop-up windows then appear in sequence: first a fake application error message, then a Windows User Account Control prompt in which the ransomware requests elevated privileges. Finally a ransom note opens covering the screen, containing the decryption and payment instructions.

Two RIG EK domains were identified, need[.]southpadreforsale[.]com and star[.]southpadrefishingguide[.]com, both resolving to 194[.]87[.]93[.]53 at the time of analysis, along with 45[.]63[.]115[.]214, which CryptoShield contacts for post-infection communication. The IP addresses and domains associated with RIG traffic most probably change regularly, so these indicators should be expected to go stale quickly. Notably, CryptoShield is being distributed through RIG EK rather than through the email-based campaigns more commonly used to spread ransomware. Several exploit kits are currently active, including RIG EK, Magnitude and Sundown.
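As an added example (not part of the original article or of any vendor's tooling), the following Python script shows how a SOC analyst might sweep proxy logs for the indicators listed above. The indicators are the ones named in the text; the log format, the client addresses and the sample log lines are constructed for this example and do not represent real traffic. The script matches both the hostname in the requested URL and the destination IP, then separates hosts that merely touched the exploit-kit landing page from those that went on to contact the post-infection address.

```python
import re
from typing import List, NamedTuple, Set

# Indicators from the text above, kept defanged ("[.]") so the list is safe to paste around.
DEFANGED_IOCS = {
    "194[.]87[.]93[.]53": "RIG EK",
    "need[.]southpadreforsale[.]com": "RIG EK",
    "star[.]southpadrefishingguide[.]com": "RIG EK",
    "45[.]63[.]115[.]214": "CryptoShield post-infection",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]') back into a comparable hostname or IP."""
    return ioc.replace("[.]", ".").lower()


IOCS = {refang(k): v for k, v in DEFANGED_IOCS.items()}


class Hit(NamedTuple):
    timestamp: str
    client: str
    indicator: str
    label: str


# scheme://host[:port]/... ; the host group stops at ':', '/', '?' or '#'.
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://(?P<host>[^/:?#]+)", re.IGNORECASE)


def url_host(url: str) -> str:
    """Hostname from a URL; CONNECT lines carry a bare host:port instead of a URL."""
    m = HOST_RE.match(url)
    return (m.group("host") if m else url.split(":", 1)[0]).lower()


def scan(lines: List[str]) -> List[Hit]:
    """Match each log line's URL host and destination IP against the IOC set.

    Assumed (constructed) log format, one request per line:
        <ISO timestamp> <client ip> <destination ip> <method> <url> <status>
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or truncated line: skip it rather than abort the sweep
        ts, client, dst_ip, _method, url = parts[:5]
        for indicator in (url_host(url), dst_ip.lower()):
            label = IOCS.get(indicator)
            if label:
                hits.append(Hit(ts, client, indicator, label))
                break  # one hit per line; the hostname is the more specific match
    return hits


def infected_clients(hits: List[Hit]) -> Set[str]:
    """Clients that reached the EK and afterwards contacted the post-infection address.

    A client that only touched the landing page may have been served an exploit that
    failed; a later callback to the post-infection address is the stronger sign the
    payload actually ran.
    """
    first_ek = {}
    infected = set()
    for h in sorted(hits, key=lambda h: h.timestamp):  # ISO-8601 UTC stamps sort lexically
        if h.label == "RIG EK":
            first_ek.setdefault(h.client, h.timestamp)
        elif h.client in first_ek:
            infected.add(h.client)
    return infected


# Constructed sample log: not real traffic, only the shape a proxy log would have.
SAMPLE_LOG = [
    "2017-02-01T10:15:02Z 10.0.0.12 194.87.93.53 GET http://need.southpadreforsale.com/?q=1 200",
    "2017-02-01T10:15:09Z 10.0.0.12 194.87.93.53 GET http://need.southpadreforsale.com/?q=2 200",
    "2017-02-01T10:16:40Z 10.0.0.12 45.63.115.214 POST http://45.63.115.214/ 200",
    "2017-02-01T10:17:00Z 10.0.0.33 93.184.216.34 GET http://example.com/ 200",
    "2017-02-01T10:18:11Z 10.0.0.51 194.87.93.53 GET http://star.southpadrefishingguide.com/?a=1 404",
    "2017-02-01T10:18:30Z 10.0.0.33 10.0.0.1 CONNECT 10.0.0.1:443 200",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h.timestamp} {h.client} -> {h.indicator} [{h.label}]")
    print("likely infected:", sorted(infected_clients(found)))
```

In the constructed sample, 10.0.0.12 hits the landing page and then calls back to 45.63.115.214, so it is reported as likely infected, while 10.0.0.51 only reached the landing page (and got a 404) and is reported as a hit but not as infected. Because RIG's infrastructure rotates, a sweep like this is only useful against logs from the same window as the published indicators; for ongoing detection, the behavioural signs described above (fake error dialog, UAC prompt, .CRYPTOSHIELD extensions, ransom note) are more durable.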